pseudo-random functionscseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · prf security adversary advantage...
TRANSCRIPT
![Page 1: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/1.jpg)
PSEUDO-RANDOM FUNCTIONS
Mihir Bellare UCSD 1
![Page 2: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/2.jpg)
Recall
We studied security of function families (in particular, block ciphers)against key recovery.
But we saw that security against key recovery is not sufficient to ensurethat natural usages of a block cipher are secure.
We want to answer the question:
What is a good block cipher?
where “good” means that natural uses of the block cipher are secure.
We could try to define “good” by a list of necessary conditions:
• Key recovery is hard
• Recovery of M from C = EK (M) is hard
• . . .
But this is neither necessarily correct nor appealing.Mihir Bellare UCSD 2
![Page 3: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/3.jpg)
Turing Intelligence Test
Q: What does it mean for a program to be “intelligent” in the sense of ahuman?
Possible answers:
• It can be happy
• It recognizes pictures
• It can multiply
• But only small numbers!
••
Clearly, no such list is a satisfactory answer to the question.
Mihir Bellare UCSD 3
![Page 4: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/4.jpg)
Turing Intelligence Test
Q: What does it mean for a program to be “intelligent” in the sense of ahuman?
Turing’s answer: A program is intelligent if its input/output behavior isindistinguishable from that of a human.
Mihir Bellare UCSD 4
![Page 5: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/5.jpg)
Turing Intelligence Test
Behind the wall:
• Room 1: The program P
• Room 0: A human
Mihir Bellare UCSD 5
![Page 6: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/6.jpg)
Turing Intelligence Test
Game:
• Put tester in room 0 and let it interact with object behind wall
• Put tester in rooom 1 and let it interact with object behind wall
• Now ask tester: which room was which?
The measure of “intelligence” of P is the extent to which the tester fails.
Mihir Bellare UCSD 6
![Page 7: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/7.jpg)
Real versus Ideal
Notion Real object Ideal object
Intelligence Program HumanPRF Block cipher ?
Mihir Bellare UCSD 7
![Page 8: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/8.jpg)
Real versus Ideal
Notion Real object Ideal object
Intelligence Program HumanPRF Block cipher Random function
Mihir Bellare UCSD 8
![Page 9: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/9.jpg)
Random functions
Game RandR // here R is a set
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$← R
return T[x ]
Adversary A
• Make queries to Fn
• Eventually halts with some output
We denote by
Pr[RandA
R ⇒ d]
the probability that A outputs d
Mihir Bellare UCSD 9
![Page 10: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/10.jpg)
Random functions
Game Rand{0,1}3
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}3
return T[x ]
adversary Ay ← Fn(01)return (y = 000)
Pr[RandA
{0,1}3 ⇒ true]
=
2−3
Mihir Bellare UCSD 10
![Page 11: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/11.jpg)
Random functions
Game Rand{0,1}3
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}3
return T[x ]
adversary Ay ← Fn(01)return (y = 000)
Pr[RandA
{0,1}3 ⇒ true]
= 2−3
Mihir Bellare UCSD 11
![Page 12: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/12.jpg)
Random function
Game Rand{0,1}3
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}3
return T[x ]
adversary Ay1 ← Fn(00)y2 ← Fn(11)return (y1 = 010 ∧ y2 = 011)
Pr[RandA
{0,1}3 ⇒ true]
=
2−6
Mihir Bellare UCSD 12
![Page 13: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/13.jpg)
Random function
Game Rand{0,1}3
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}3
return T[x ]
adversary Ay1 ← Fn(00)y2 ← Fn(11)return (y1 = 010 ∧ y2 = 011)
Pr[RandA
{0,1}3 ⇒ true]
= 2−6
Mihir Bellare UCSD 13
![Page 14: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/14.jpg)
Random function
Game Rand{0,1}3
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}3
return T[x ]
adversary Ay1 ← Fn(00)y2 ← Fn(11)return (y1 ⊕ y2 = 101)
Pr[RandA
{0,1}3 ⇒ true]
=
2−3
Mihir Bellare UCSD 14
![Page 15: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/15.jpg)
Random function
Game Rand{0,1}3
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}3
return T[x ]
adversary Ay1 ← Fn(00)y2 ← Fn(11)return (y1 ⊕ y2 = 101)
Pr[RandA
{0,1}3 ⇒ true]
= 2−3
Mihir Bellare UCSD 15
![Page 16: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/16.jpg)
Recall: Function families
A family of functions (also called a function family) is a two-input functionF : Keys× D→ R. For K ∈ Keys we let FK : D→ R be defined byFK (x) = F (K , x) for all x ∈ D.
Examples:
• DES: Keys = {0, 1}56, D = R = {0, 1}64
• Any block cipher: D = R and each FK is a permutation
Mihir Bellare UCSD 16
![Page 17: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/17.jpg)
Real versus Ideal
Notion Real object Ideal object
PRF Family of functions Random function(eg. a block cipher)
F is a PRF if the input-output behavior of FK looks to a tester like theinput-output behavior of a random function.
Tester does not get the key K !
Mihir Bellare UCSD 17
![Page 18: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/18.jpg)
Games defining prf advantage of an adversary against F
Let F : Keys× D→ R be a family of functions.
Game RealF
procedure InitializeK
$← Keys
procedure Fn(x)Return FK (x)
Game RandR
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$← R
Return T[x ]
Associated to F ,A are the probabilities
Pr[RealAF⇒1
]Pr[RandA
R⇒1]
that A outputs 1 in each world. The advantage of A is
AdvprfF (A) = Pr[RealAF⇒1
]− Pr
[RandA
R⇒1]
Mihir Bellare UCSD 18
![Page 19: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/19.jpg)
PRF advantage
A’s output d Intended meaning: I think I am in game
1 Real
0 Random
AdvprfF (A) ≈ 1 means A is doing well and F is not prf-secure.
AdvprfF (A) ≈ 0 (or ≤ 0) means A is doing poorly and F resists the attackA is mounting.
Mihir Bellare UCSD 19
![Page 20: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/20.jpg)
PRF security
Adversary advantage depends on its
• strategy
• resources: Running time t and number q of oracle queries
Security: F is a (secure) PRF if AdvprfF (A) is “small” for ALL A that use“practical” amounts of resources.
Example: 80-bit security could mean that for all n = 1, . . . , 80 we have
AdvprfF (A) ≤ 2−n
for any A with time and number of oracle queries at most 280−n.
Insecurity: F is insecure (not a PRF) if we can specify an A using “few”resources that achieves “high” advantage.
Mihir Bellare UCSD 20
![Page 21: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/21.jpg)
Example
Define F : {0, 1}` × {0, 1}` → {0, 1}` by FK (x) = K ⊕ x for allK , x ∈ {0, 1}`. Is F a secure PRF?
Game RealF
procedure InitializeK
$←{0, 1}`
procedure Fn(x)Return K ⊕ x
Game Rand{0,1}`
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}`
Return T[x ]
So we are asking: Can we design a low-resource A so that
AdvprfF (A) = Pr[RealAF⇒1
]− Pr
[RandA
{0,1}`⇒1]
is close to 1?
Exploitable weakness of F : For all K we have
FK (0`)⊕ FK (1`) = (K ⊕ 0`)⊕ (K ⊕ 1`) = 1`
Mihir Bellare UCSD 21
![Page 22: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/22.jpg)
Example
Define F : {0, 1}` × {0, 1}` → {0, 1}` by FK (x) = K ⊕ x for allK , x ∈ {0, 1}`. Is F a secure PRF?
Game RealF
procedure InitializeK
$←{0, 1}`
procedure Fn(x)Return K ⊕ x
Game Rand{0,1}`
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}`
Return T[x ]
So we are asking: Can we design a low-resource A so that
AdvprfF (A) = Pr[RealAF⇒1
]− Pr
[RandA
{0,1}`⇒1]
is close to 1?
Exploitable weakness of F : For all K we have
FK (0`)⊕ FK (1`) = (K ⊕ 0`)⊕ (K ⊕ 1`) = 1`
Mihir Bellare UCSD 22
![Page 23: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/23.jpg)
Example: The adversary
F : {0, 1}` × {0, 1}` → {0, 1}` is defined by FK (x) = K ⊕ x .
adversary Aif Fn(0`)⊕ Fn(1`) = 1` then return 1 else return 0
Mihir Bellare UCSD 23
![Page 24: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/24.jpg)
Example: Real game analysis
F : {0, 1}` × {0, 1}` → {0, 1}` is defined by FK (x) = K ⊕ x .
adversary Aif Fn(0`)⊕ Fn(1`) = 1` then return 1 else return 0
Game RealF
procedure InitializeK
$←{0, 1}`
procedure Fn(x)Return K ⊕ x
Pr[RealAF⇒1
]=
1
because
Fn(0`)⊕ Fn(1`) = FK (0`)⊕ FK (1`) = (K ⊕ 0`)⊕ (K ⊕ 1`) = 1`
Mihir Bellare UCSD 24
![Page 25: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/25.jpg)
Example: Real game analysis
F : {0, 1}` × {0, 1}` → {0, 1}` is defined by FK (x) = K ⊕ x .
adversary Aif Fn(0`)⊕ Fn(1`) = 1` then return 1 else return 0
Game RealF
procedure InitializeK
$←{0, 1}`
procedure Fn(x)Return K ⊕ x
Pr[RealAF⇒1
]= 1
because
Fn(0`)⊕ Fn(1`) = FK (0`)⊕ FK (1`) = (K ⊕ 0`)⊕ (K ⊕ 1`) = 1`
Mihir Bellare UCSD 25
![Page 26: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/26.jpg)
Example: Rand game analysis
F : {0, 1}` × {0, 1}` → {0, 1}` is defined by FK (x) = K ⊕ x .
adversary Aif Fn(0`)⊕ Fn(1`) = 1` then return 1 else return 0
Game Rand{0,1}`
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}`
Return T[x ]
Pr[RandA
{0,1}`⇒1]
=
Pr[Fn(1`)⊕ Fn(0`) = 1`
]= 2−`
because Fn(0`),Fn(1`) are random `-bit strings.
Mihir Bellare UCSD 26
![Page 27: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/27.jpg)
Example: Rand game analysis
F : {0, 1}` × {0, 1}` → {0, 1}` is defined by FK (x) = K ⊕ x .
adversary Aif Fn(0`)⊕ Fn(1`) = 1` then return 1 else return 0
Game Rand{0,1}`
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}`
Return T[x ]
Pr[RandA
{0,1}`⇒1]
= Pr[Fn(1`)⊕ Fn(0`) = 1`
]=
2−`
because Fn(0`),Fn(1`) are random `-bit strings.
Mihir Bellare UCSD 27
![Page 28: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/28.jpg)
Example: Rand game analysis
F : {0, 1}` × {0, 1}` → {0, 1}` is defined by FK (x) = K ⊕ x .
adversary Aif Fn(0`)⊕ Fn(1`) = 1` then return 1 else return 0
Game Rand{0,1}`
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}`
Return T[x ]
Pr[RandA
{0,1}`⇒1]
= Pr[Fn(1`)⊕ Fn(0`) = 1`
]= 2−`
because Fn(0`),Fn(1`) are random `-bit strings.
Mihir Bellare UCSD 28
![Page 29: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/29.jpg)
Example: Conclusion
F : {0, 1}` × {0, 1}` → {0, 1}` is defined by FK (x) = K ⊕ x .
adversary Aif Fn(0`)⊕ Fn(1`) = 1` then return 1 else return 0
Then
AdvprfF (A) =
1︷ ︸︸ ︷Pr[RealAF⇒1
]−
2−`︷ ︸︸ ︷Pr[RandA
{0,1}`⇒1]
= 1− 2−`
and A is efficient .
Conclusion: F is not a secure PRF.
Mihir Bellare UCSD 29
![Page 30: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/30.jpg)
Exercise
Define the family of functions F : {0, 1}128 × {0, 1}128 → {0, 1}128 byF (K ,M) = AES(M,K ). Show that F is not a secure PRF by presenting inpseudocode an adversary A such that
• AdvprfF (A) = 1− 2−128
• A makes at most 2 queries to its Fn oracle
• A is very efficient.
You must prove that your A has the above properties.
Mihir Bellare UCSD 30
![Page 31: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/31.jpg)
Exercise
Let G : {0, 1}k × {0, 1}l → {0, 1}l be a family of functions (it is arbitrarybut given, meaning known to the adversary) and let r ≥ 1 be an integer.The r -round Feistel cipher associated to G is the family of functionsG (r): {0, 1}k × {0, 1}2l → {0, 1}2l , defined as follows for any keyK ∈ {0, 1}k and input x ∈ {0, 1}2l :
Function G (r)(K , x)
L0‖R0 ← xFor i = 1, . . . , r do
Li ← Ri−1 ; Ri ← G (K ,Ri−1) ⊕ Li−1Return Lr‖Rr
By a‖b we are denoting the concatenation of strings a, b. (For example01‖10 = 0110.) In the first line, we are parsing x as x = L0‖R0 with|L0| = |R0| = l , meaning L0 is the first l bits of x and R0 is the rest.
Mihir Bellare UCSD 31
![Page 32: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/32.jpg)
Exercise
1. Show that G (1) is not a secure PRF by presenting in pseudocode apractical adversary A such that Advprf
G (1)(A) = 1− 2−l and A makesone Fn query.
2. Show that G (2) is not a secure PRF by presenting in pseudocode apractical adversary A such that Advprf
G (2)(A) = 1− 2−l and A makestwo Fn queries.
Mihir Bellare UCSD 32
![Page 33: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/33.jpg)
Exercise
Let F : {0, 1}k ×D → {0, 1}n be a family of functions and A an adversary.Prove that
AdvprfF (A) 6= 1 .
Mihir Bellare UCSD 33
![Page 34: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/34.jpg)
Birthday Problem
We have q people 1, . . . , q with birthdays y1, . . . , yq ∈ {1, . . . , 365}.Assume each person’s birthday is a random day of the year. Let
C (365, q) = Pr [2 or more persons have same birthday]
= Pr [y1, . . . , yq are not all different]
• What is the value of C (365, q)?
• How large does q have to be before C (365, q) is at least 1/2?
Naive intuition:
• C (365, q) ≈ q/365
• q has to be around 365
The reality
• C (365, q) ≈ q2/365
• q has to be only around 23
Mihir Bellare UCSD 34
![Page 35: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/35.jpg)
Birthday Problem
We have q people 1, . . . , q with birthdays y1, . . . , yq ∈ {1, . . . , 365}.Assume each person’s birthday is a random day of the year. Let
C (365, q) = Pr [2 or more persons have same birthday]
= Pr [y1, . . . , yq are not all different]
• What is the value of C (365, q)?
• How large does q have to be before C (365, q) is at least 1/2?
Naive intuition:
• C (365, q) ≈ q/365
• q has to be around 365
The reality
• C (365, q) ≈ q2/365
• q has to be only around 23
Mihir Bellare UCSD 35
![Page 36: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/36.jpg)
Birthday Problem
We have q people 1, . . . , q with birthdays y1, . . . , yq ∈ {1, . . . , 365}.Assume each person’s birthday is a random day of the year. Let
C (365, q) = Pr [2 or more persons have same birthday]
= Pr [y1, . . . , yq are not all different]
• What is the value of C (365, q)?
• How large does q have to be before C (365, q) is at least 1/2?
Naive intuition:
• C (365, q) ≈ q/365
• q has to be around 365
The reality
• C (365, q) ≈ q2/365
• q has to be only around 23Mihir Bellare UCSD 36
![Page 37: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/37.jpg)
Birthday collision bounds
C (365, q) is the probability that some two people have the same birthdayin a room of q people with random birthdays
q C (365, q)
15 0.253
18 0.347
20 0.411
21 0.444
23 0.507
25 0.569
27 0.627
30 0.706
35 0.814
40 0.891
50 0.970
Mihir Bellare UCSD 37
![Page 38: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/38.jpg)
Birthday Problem
Pick y1, . . . , yq$←{1, . . . ,N} and let
C (N, q) = Pr [y1, . . . , yq not all distinct]
Birthday setting: N = 365
Fact: C (N, q) ≈ q2
2N
Mihir Bellare UCSD 38
![Page 39: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/39.jpg)
Birthday Problem
Pick y1, . . . , yq$←{1, . . . ,N} and let
C (N, q) = Pr [y1, . . . , yq not all distinct]
Birthday setting: N = 365
Fact: C (N, q) ≈ q2
2N
Mihir Bellare UCSD 39
![Page 40: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/40.jpg)
Birthday collisions formula
Let y1, . . . , yq$←{1, . . . ,N}. Then
1− C (N, q) = Pr [y1, . . . , yq all distinct]
= 1 · N − 1
N· N − 2
N· · · · · N − (q − 1)
N
=
q−1∏i=1
(1− i
N
)so
C (N, q) = 1−q−1∏i=1
(1− i
N
)
Mihir Bellare UCSD 40
![Page 41: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/41.jpg)
Birthday bounds
LetC (N, q) = Pr [y1, . . . , yq not all distinct]
Fact: Then
0.3 · q(q − 1)
N≤ C (N, q) ≤ 0.5 · q(q − 1)
N
where the lower bound holds for 1 ≤ q ≤√
2N.
Mihir Bellare UCSD 41
![Page 42: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/42.jpg)
Block ciphers as PRFs
Let E : {0, 1}k × {0, 1}` → {0, 1}` be a block cipher.
Game RealE
procedure InitializeK
$←{0, 1}k
procedure Fn(x)Return EK (x)
Game Rand{0,1}`
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}`
Return T[x ]
Can we design A so that
AdvprfE (A) = Pr[RealAE⇒1
]− Pr
[RandA
{0,1}`⇒1]
is close to 1?
Mihir Bellare UCSD 42
![Page 43: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/43.jpg)
Block ciphers as PRFs
Defining property of a block cipher: EK is a permutation for every K
So if x1, . . . , xq are distinct then
• Fn = EK ⇒ Fn(x1), . . . ,Fn(xq) distinct
• Fn random⇒ Fn(x1), . . . ,Fn(xq) not necessarily distinct
This leads to the following attack:
adversary A
Let x1, . . . , xq ∈ {0, 1}` be distinctfor i = 1, . . . , q do yi ← Fn(xi )if y1, . . . , yq are all distinct then return 1else return 0
Mihir Bellare UCSD 43
![Page 44: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/44.jpg)
Real world analysis
Let E : {0, 1}k × {0, 1}` → {0, 1}` be a block cipher
Game RealE
procedure InitializeK
$←{0, 1}k
procedure Fn(x)Return EK (x)
adversary A
Let x1, . . . , xq ∈ {0, 1}` be distinctfor i = 1, . . . , q do yi ← Fn(xi )if y1, . . . , yq are all distinctthen return 1 else return 0
ThenPr[RealAE⇒1
]=
1
because y1, . . . , yq will be distinct because EK is a permutation.
Mihir Bellare UCSD 44
![Page 45: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/45.jpg)
Real world analysis
Let E : {0, 1}k × {0, 1}` → {0, 1}` be a block cipher
Game RealE
procedure InitializeK
$←{0, 1}k
procedure Fn(x)Return EK (x)
adversary A
Let x1, . . . , xq ∈ {0, 1}` be distinctfor i = 1, . . . , q do yi ← Fn(xi )if y1, . . . , yq are all distinctthen return 1 else return 0
ThenPr[RealAE⇒1
]= 1
because y1, . . . , yq will be distinct because EK is a permutation.
Mihir Bellare UCSD 45
![Page 46: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/46.jpg)
Rand world analysis
Let E : {0, 1}K × {0, 1}` → {0, 1}` be a block cipher
Game Rand{0,1}`
procedure Fn(x)
if T[x ] = ⊥ then T[x ]$←{0, 1}`
Return T[x ]
adversary A
Let x1, . . . , xq ∈ {0, 1}` be distinctfor i = 1, . . . , q do yi ← Fn(xi )if y1, . . . , yq are all distinctthen return 1 else return 0
Then
Pr[RandA
{0,1}`⇒1]
= Pr [y1, . . . , yq all distinct] = 1− C (2`, q)
because y1, . . . , yq are randomly chosen from {0, 1}`.
Mihir Bellare UCSD 46
![Page 47: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/47.jpg)
Birthday attack on a block cipher
E : {0, 1}k × {0, 1}` → {0, 1}` a block cipher
adversary A
Let x1, . . . , xq ∈ {0, 1}` be distinctfor i = 1, . . . , q do yi ← Fn(xi )if y1, . . . , yq are all distinct then return 1 else return 0
AdvprfE (A) =
1︷ ︸︸ ︷Pr[RealAE⇒1
]−
1−C(2`,q)︷ ︸︸ ︷Pr[RandA
{0,1}`⇒1]
= C (2`, q) ≥ 0.3 · q(q − 1)
2`
soq ≈ 2`/2 ⇒ AdvprfE (A) ≈ 1 .
Mihir Bellare UCSD 47
![Page 48: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/48.jpg)
Birthday attack on a block cipher
Conclusion: If E : {0, 1}k × {0, 1}` → {0, 1}` is a block cipher, there is anattack on it as a PRF that succeeds in about 2`/2 queries.
Depends on block length, not key length!
` 2`/2 Status
DES, 2DES, 3DES3 64 232 Insecure
AES 128 264 Secure
Mihir Bellare UCSD 48
![Page 49: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/49.jpg)
KR-security versus PRF-security
We have seen two possible metrics of security for a block cipher E
• (T)KR-security: It should be hard to find the target key, or a keyconsistent with input-output examples of a hidden target key.
• PRF-security: It should be hard to distinguish the input-outputbehavior of EK from that of a random function.
Fact: PRF-security of E implies
• KR (and hence TKR) security of E
• Many other security attributes of E
This is a validation of the choice of PRF security as our main metric.
Mihir Bellare UCSD 49
![Page 50: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/50.jpg)
If E is PRF-secure then it is KR-secure
Proposition: Let E : {0, 1}k × {0, 1}` → {0, 1}` be a blockcipher. Given akr-adversary B making q (distinct!) oracle queries, we can construct aPRF adversary A making q oracle queries such that
AdvkrE (B) ≤ AdvprfE (A) + 2k−q` .
The running time of A is that of B plus O(q`).
Interpretation:
E is PRF secure ⇒ AdvprfE (A) is small
⇒ AdvkrE (B) is small⇒ E is KR-secure.
Example: If E = AES and q = 2 then 2k−q` = 2−128.
Our first example of a reduction and a proof by reduction!
Mihir Bellare UCSD 50
![Page 51: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/51.jpg)
Game defining kr-advantage of an adversary B against E
Game KRE
procedure Initialize
K$←{0, 1}k ; i ← 0
procedure Fn(M)i ← i + 1; Mi ← MCi ← E (K ,Mi )Return Ci
procedure Finalize(K ′)win← trueFor j = 1, . . . , i do
If E (K ′,Mj) 6= Cj then win← falseIf Mj ∈ {M1, . . . ,Mj−1} then win← false
Return win
The kr-advantage of B is
AdvkrE (B) = Pr[KRBE ⇒ true]
Mihir Bellare UCSD 51
![Page 52: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/52.jpg)
Games defining prf-advantage of an adversary A against E
Game RealE
procedure InitializeK
$←{0, 1}k
procedure Fn(M)Return E (K ,M)
Game Rand{0,1}`
procedure Fn(M)
if T[M] = ⊥ then T[M]$←{0, 1}`
Return T[M]
The prf-advantage of A is
AdvprfE (A) = Pr[RealAE⇒1
]− Pr
[RandA
{0,1}`⇒1]
Mihir Bellare UCSD 52
![Page 53: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/53.jpg)
Proof of Proposition
Given B we build A as follows:
adversary A
i ← 0; d ← 1K ′ ← BFnKRSim
For j = 1, . . . , i doIf (E (K ′,Mj) 6= Cj) then d ← 0
Return d
subroutine FnKRSim(M)i ← i + 1; Mi ← MCi ← Fn(Mi )return Ci
A runs B, simulating B’s oracle via a subroutine that in turn invokes A’sown Fn oracle. When B returns a key K ′, adversary A returns 1 if K ′ isconsistent with the input-output examples, and 0 otherwise.
Mihir Bellare UCSD 53
![Page 54: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/54.jpg)
Real game analysis
Game RealE
procedure InitializeK
$←{0, 1}k
procedure Fn(M)Return EK (M)
When A is executed in game RealE , subroutine FnKRSim(M) will returnFn(M), which equals EK (M).
So B is getting the same responses it would in game KRE .
So K ′ will be consistent with (M1,C1), . . . , (Mq,Cq) with probability thekr-advantage of B.
So
Pr[RealAE⇒1
]= AdvkrE (B) .
Mihir Bellare UCSD 54
![Page 55: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/55.jpg)
Rand game analysis
Game Rand{0,1}`
procedure Fn(x)
if T[M] = ⊥ then T[M]$←{0, 1}`
Return T[M]
When A is executed in game Rand{0,1}` , subroutine FnKRSim(M) willreturn Fn(M), which is a random `-bit string. So B is getting back asequence of q random, independent `-bit strings.
Claim: Pr[RandA
{0,1}`⇒1]≤ 2k−q` .
Mihir Bellare UCSD 55
![Page 56: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/56.jpg)
Proof of Claim
For a key K ′ ∈ {0, 1}k , consider the event
S(K ′) : E (K ′,Mi ) = Ci for all 1 ≤ i ≤ q
Then consider the event
S : ∃K ′ ∈ {0, 1}k such that S(K ′)
Then by the union bound
Pr[S] ≤∑
K ′∈{0,1}kPr[S(K ′)] ≤ 2k · 2−q` .
We will do many such proofs, and you will be asked to do them onassessments, so spend the time to understand this one!
Mihir Bellare UCSD 56
![Page 57: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/57.jpg)
Our Assumptions
DES, AES are good block ciphers in the sense that they are PRF-secureup to the inherent limitations of the birthday attack and knownkey-recovery attacks.
You can assume this in designs and analyses.
But beware that the future may prove these assumptions wrong!
Mihir Bellare UCSD 57
![Page 58: PSEUDO-RANDOM FUNCTIONScseweb.ucsd.edu/~mihir/cse207/s-prf.pdf · PRF security Adversary advantage depends on its strategy resources: Running time t and number q of oracle queries](https://reader031.vdocuments.us/reader031/viewer/2022022607/5b8622237f8b9a195a8c2ab2/html5/thumbnails/58.jpg)
Exercise
We are given a PRF F : {0, 1}k × {0, 1}k → {0, 1}k and want to build aPRF G : {0, 1}k × {0, 1}k → {0, 1}2k . Which of the following work?
1. Function G (K , x)
y1 ← F (K , x) ; y2 ← F (K , x) ; Return y1‖y2
2. Function G (K , x)
y1 ← F (K , x) ; y2 ← F (K , y1) ; Return y1‖y2
3. Function G (K , x)
L← F (K , x) ; y1 ← F (L, 0k) ; y2 ← F (L, 1k) ; Return y1‖y2
4. Function G (K , x)
[Your favorite code here]
Mihir Bellare UCSD 58